Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 15, 2021, 9:24 a.m.	Sept. 15, 2021, 9:37 a.m.

Size	7.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2bd18b0ce7aa8dfaee0e922090aae138`
SHA256	`e11a90704ac0ea7eacb7d9eeda4a6db1e6fb3f21402d06429617f9af69d0a1b8`
CRC32	`FEB73373`
ssdeep	`96:2qUneX10H8fJTIbuAFo+7Ptboynun/AqyCtGdYX7E:aeX7aP1oynW/A0eG`
PDB Path
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

loadetc.exe "C:\Users\test22\AppData\Local\Temp\loadetc.exe"
1948
- wincfg.exe C:\Users\test22\wincfg.exe
  2264
  - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\CE5.tmp\CF5.tmp\CF6.bat C:\Users\test22\wincfg.exe"
    2452
- cmd.exe "C:\Windows\System32\cmd.exe" /c shutdown /r
  2292
  - shutdown.exe shutdown /r
    1664

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.67.188.154	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.84:80 -> 192.168.56.102:49163	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 192.168.56.102:49163 -> 185.215.113.84:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49163 -> 185.215.113.84:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.215.113.84:80 -> 192.168.56.102:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.84:80 -> 192.168.56.102:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 15, 2021, 9:28 a.m.	buffer: Press any key to continue . . . console_handle: 0x0000000000000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 15, 2021, 9:35 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://185.215.113.84/ec.exe

Performs some HTTP requests (1 event)

request

GET http://185.215.113.84/ec.exe

A process attempted to delay the analysis task. (1 event)

description

loadetc.exe tried to sleep 135 seconds, actually delayed analysis time by 4 seconds

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\wincfg.exe
file	C:\Users\test22\AppData\Local\Temp\CE5.tmp\CF5.tmp\CF6.bat
file	C:\Users\test22\AppData\Local\Temp\CE5.tmp\Defender.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 15, 2021, 9:24 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000000ac filepath: C:\Users\test22\5tyuuow.txt desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\5tyuuow.txt create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (3 events)

cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\CE5.tmp\CF5.tmp\CF6.bat C:\Users\test22\wincfg.exe"
cmdline	cmd.exe /c shutdown /r
cmdline	"C:\Windows\System32\cmd.exe" /c shutdown /r

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 15, 2021, 9:25 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c shutdown /r filepath: cmd.exe	1	1	0
ShellExecuteExW Sept. 15, 2021, 9:28 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\CE5.tmp\CF5.tmp\CF6.bat C:\Users\test22\wincfg.exe" filepath: C:\Windows\System32\cmd	1	1	0

An executable file was downloaded by the process loadetc.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Sept. 15, 2021, 9:24 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdE@]ð/2bC@ÀDñÈ ¨BÐÔ¨öH.codeZ\ `.textµp` `.rdata=KLf@@.pdata request_handle: 0x00cc000c	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\CE5.tmp\CF5.tmp\CF6.bat C:\Users\test22\wincfg.exe"
cmdline	cmd.exe /c shutdown /r
cmdline	shutdown /r
cmdline	"C:\Windows\System32\cmd.exe" /c shutdown /r
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\CE5.tmp\CF5.tmp\CF6.bat C:\Users\test22\wincfg.exe"

Communicates with host for which no DNS query was performed (2 events)

host	172.67.188.154
host	185.215.113.84

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration				reg_value	C:\Users\test22\wincfg.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Configuration				reg_value	C:\Users\test22\wincfg.exe

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\wincfg.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2264 resumed a thread in remote process 2452
NtResumeThread Sept. 15, 2021, 9:28 a.m.	thread_handle: 0x0000000000000230 suspend_count: 1 process_identifier: 2452	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.Win32.Generic.a!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Generic.Malware.S!dld!.CD6F7FD7
FireEye	Generic.mg.2bd18b0ce7aa8dfa
McAfee	Artemis!2BD18B0CE7AA
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZexaF.34142.auW@aqugTtpi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/TrojanDownloader.Tiny.NTK
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.Win32.Generic
BitDefender	Generic.Malware.S!dld!.CD6F7FD7
Avast	Win32:MalwareX-gen [Trj]
Tencent	Win32.Trojan-downloader.Generic.Huzp
Ad-Aware	Generic.Malware.S!dld!.CD6F7FD7
Emsisoft	Generic.Malware.S!dld!.CD6F7FD7 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.zt
Sophos	Mal/Generic-S
eGambit	Unsafe.AI_Score_97%
Avira	TR/Crypt.XPACK.Gen
Kingsoft	Win32.Heur.KVMH017.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Generic.Malware.S!dld!.CD6F7FD7
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.C4204685
Acronis	suspicious
VBA32	suspected of Trojan.Downloader.gen
ALYac	Generic.Malware.S!dld!.CD6F7FD7
MAX	malware (ai score=87)
Malwarebytes	Generic.Malware/Suspicious
Rising	Trojan.Generic@ML.100 (RDMK:ymjbG3a0zhHo1Vz5kgmlLQ)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.ce7aa8

loadetc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All